ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security (second edition)
Abstract
“[ISO/IEC 27032] provides:
[Source: ISO/IEC 27032:2023]
Introduction
ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.
Scope and purpose
The abstract above covers the scope and purpose.
The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words, it primarily concerns the ordinary, everyday network security threats facing all Internet users, particularly businesses, rather than the more extreme spooky threats of concern in the governmental and defence domain.
Structure and content
The five main sections are:
- Relationship between Internet security, web security, network security and cybersecurity.
- Overview of Internet security.
- Interested parties.
- Internet security risk assessment and treatment.
- Security guidelines for the Internet.
Annex A. Cross-references between this standard and ISO/IEC 27002.
The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022:
- 25 Organizational controls;
- 2 People controls;
- 0 Physical controls; and
- 23 Technological controls.
Status of the standard
The first edition was published in 2012.
The second, thoroughly revised edition was published in 2023.
Personal comments
See also ISO/IEC 27100.
Over the last decade or so, “cyber” as in “cybersecurity” has gradually become a buzzier buzzword, and yet doubts and disagreements over what it actually means persist. SC 27 had the opportunity to clarify cyber-related terms when revising this standard, but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020, viz. “safeguarding of people, society, organizations and nations from cyber risks Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition have simply been dropped.
Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers.
I’ve taken the liberty of elaborating on the scope diagram from the standard, highlighting in yellow the coverage area and adding an outer circle for the field of information security as a whole: